FUD Management

Keith  Turpin  has  seen  some  dire  mistakes  made  in  front  of  boards  of 
directors,  especially  when  cybersecurity  is  on  the  agenda. 

“I’ve  seen  people  go  into  board  meetings  with  a  network  diagram,”  says 
the  chief  information  security  officer  for  Dallas-based  Universal  Weather 
and  Aviation.  “You  might  as  well  be  showing  them  a  crop  circle.” 

As  you’ll  learn  while  reading  our  cover  story  (“Boards  on  Cyber  Alert,” 
page  20),  Turpin  took  an  innovative  show-and-tell  approach  to  convince 
his  board  to  fund  a  security  program  overhaul.  He  built  a  small  door  and 
fastened  it  shut  with  several  locks,  then  he  wheeled  it  into  the  boardroom 
and  proceeded  to  open  the  door  by  picking  the  locks  one  by  one.  What  had 
looked  quite  secure  was  in  fact  quite  vulnerable. 

Managing the board’s FUD—fear, uncertainty and doubt—on matters
related to cybersecurity is a top priority for CIOs and CSOs everywhere.
That’s  hardly  surprising,  given  the  frantic  drumbeat  of  media  coverage, 
high-profile  hacks  of  famous  companies,  and  staggering  statistics  about 
rising  cybercrime.  There  were  more  than  42  million  breaches  last  year,  with 
an  average  financial  hit  of  $2.7  million.  Even  worse:  Nearly  three-fourths  of 
the  victims  were  clueless  about  the  breach  for  months  afterward. 

Ready  for  some  good  news?  The  more  the  board  is  engaged  with  and 
educated  about  cybersecurity  issues,  the  stronger  the  IT  security  profile  of 
that  company.  CIOs  and  CSOs  who  excel  at  this  particular  brand  of  FUD 
management  find  that  regular,  calming,  easily  understood  communication 
with  the  board  translates  into  robust  funding  for  security  programs. 

Our story spells out some smart approaches to take with those nervous
directors, and provides specific guidance about how to lead board conversations
away from cyber-scare stories and back onto the familiar ground of
business risk management. (See “Educating the Board,” page 22.)

“Boards don’t know what they need to know,” says Lloyd Boyd, CIO of
Shale-Inland Holdings in Houston. “It’s important for us as CIOs to effectively
communicate these issues in practical terms. We’re going to be a
victim at some point, and we need to be prepared.”

For CIO Scott Angelo of K&L Gates, defining risk for his board meant
talking about vulnerabilities that need to be managed—such as the types
of people most likely to want illegal access to the law firm’s data. “I wanted
them to focus on what the true threats are,” he says. “Then you know where
to spend your money. That there is the secret sauce.”
Maryfran Johnson, Editor in Chief, CIO Magazine & Events

mfjohnson@cio.com 
IoT Without the Hype

When is an application really part of the Internet of Things? A Verizon report
says to look for the three A's: aware, meaning that the connected asset must be
able to sense something about its surroundings, such as location, temperature
or motion; autonomous, meaning it collects data automatically at a set time or
threshold; and actionable, meaning the data is analyzed and integrated into
business processes to support decision-making. www.cio.com/article/2899643/

Cyber  Insurers  Lack  Data 

Cyber insurance carriers would be more generous in their coverage options if they
had more concrete data about the risks that customers face, says Tom Finan, senior
cybersecurity strategist at the Department of Homeland Security. Unsurprisingly,
companies aren't publicly disclosing their damages from breaches and cyberattacks,
so there's not enough actuarial data. "Several of the carriers joining us have
told us that big data about cyber incidents could be a potential treasure trove that
would aid their efforts immensely," Finan says. www.cio.com/article/2898503/

The  Big  Pharma  Chasm 

While many CIOs and CMOs don't see eye to eye, those in the pharmaceutical
industry aren't even in the same room. But don't blame IT. According to an Accenture
global survey of 22 CIOs and 24 CMOs in various industries, pharma CIOs have the
highest desire to align with marketing, but pharma CMOs rank among the lowest
in their desire to collaborate with IT. One reason: CIOs have historically had good
relationships with the sales department, not the marketing function.
www.cio.com/article/2892420/


Have a comment about a story in this issue? Go to www.cio.com/magazine or
write to letters@cio.com.
Outward-Bound IT

Who  are  your  customers?  Why  do  they  buy  from  you?  What  keeps  them 
coming  back?  What  would  turn  them  onto  your  competitors? 

Competitors?  That’s  right,  I’m  talking  about  your  external  customers, 
not  your  internal  enterprise  customers.  In  this  industry,  we  celebrate  how 
technology has moved to the heart of business strategy and how IT—at
its very best—can drive innovation and accelerate competitive advantage.
But  along  with  all  that  comes  a  growing  need  for  CIOs  and  their  teams  to 
sharpen  their  focus  on  the  company’s  external  customers. 

Are  you  and  your  team  ready  for  the  wilds  of  a  customer-centric  world? 

I  meet  regularly  with  CIOs,  and  lately  I’ve  been  asking  these  questions: 
“If  you  could  free  up  your  IT  team  members  from  certain  day-to-day  tasks 
and  turn  their  focus  outward  to  external  customers,  would  they  embrace 
that?  Could  they  effectively  communicate  with  and  serve  those  customers?” 

I  hate  to  say  it,  but  many  CIOs  tell  me  their  teams  aren’t  ready  to  make 
such  a  transition.  This  signals  a  serious  problem  in  the  current  structure 
of  the  average  enterprise  IT  team,  and  in  the  skills  of  the  team  members. 

In our 2015 State of the CIO survey, the need to be externally customer-focused
came through loud and clear. When asked what an IT team might
need  to  focus  on  during  the  next  12  months  in  order  to  elevate  its  relationship 
with  business  counterparts,  most  CIOs  said  “better  communication  with 
the  business.”  But  that’s  not  enough.  The  answer  from  the  304  business 
executives  we  surveyed  was  much  more  specific  and  action-oriented:  They 
said  they  want  IT  to  have  a  better  understanding  of  external  customers,  to 
the  point  of  calling  on  those  customers  and  building  direct  relationships. 

Think about it: You have some of the best minds and most innovative
employees on your teams—yet they face inward, not outward. What can you
do to connect them directly with external customers? Wouldn’t this provide
a deeper understanding of who is using your products and services—and
of why, how and when they’re doing so?

The real challenge for CIOs and IT organizations today centers on readiness
for customer contact. Do any of your people visit customers with the
sales team? Do they listen or respond to customer service calls?

To  me,  connecting  with  customers  is  one  of  the  top  issues  in  enterprise 
IT  today.  I  can’t  think  of  any  better  way  to  elevate  IT’s  status  than  to  make 
it  more  outward-bound.  Write  in  and  tell  me  what  you  think. 


Adam  Dennison,  SVP  &  Publisher 

adennison@cio.com 
People Skills Matter in 'Customer-Centric' IT

As the final stop in the IT hiring process at Atlanta-based
PulteGroup, CIO Joe Drouin does a gut check on how each
candidate will mesh with the homebuilder’s company culture.
“Can I see this person walking in and shaking hands
with a field manager?” he asks.

An ability to engage with business colleagues has risen
in importance to CIOs who are shifting their IT organizations
away from inward-focused mindsets toward more consultative,
customer-focused roles. For example, at Asbury
Automotive, which operates car dealerships nationwide,
20 IT field technicians have broader help desk roles as
store ambassadors. “They walk through the stores, meet
and engage with customers and they love it,” said CIO Barry
Cohen, who uses a personality test to find people with these
traits, which he considers an ideal mix: “aggressiveness, people
orientation, a sense of urgency and attention to detail.”

Both Drouin and Cohen, who spoke on a talent management
panel at our recent CIO Perspectives Atlanta event,
urged the audience to broaden the mix of business and
marketing skills within IT and to create new roles that connect
more directly with customers. -Maryfran Johnson


Eric Singleton
CIO, Chico's FAS

Retailing in the Digital Era

Chico's has developed a "digital retail theater" strategy for its retail
stores. What's happening this year?

Two of the things that are exciting me the most are intelligent digital signage,
which we've been rolling out with Google as a partner, and our foray into augmented
reality: taking our catalogs and breathing life into them. We also had an early
awareness of the Apple Watch, so we're pretty excited about that. I think that's
going to open up some new doors for [Apple] and the consumer, and [for Chico's],
as well.

What's the biggest challenge for retailers in maintaining successful
digital initiatives?

It's keeping up with and staying ahead of all the new technology that never seems
to stop coming out. The best way we've found to deal with and manage that is through
continuous education. We keep a robust educational calendar for our existing staff
members. And when bringing new talent into the pool, we combine their learnings
[with] the already existing organization.

What are the hottest skill sets you're looking for when hiring IT people?

The most sought-after [IT pros] continue to be top-notch developers and A++
players on the developer side. We have a terrific in-house cultivation and education
program. The way we structure our staff is a matrix organization, so staffers are
teaching and learning from one another. We work with key universities in our area
and beyond, and very closely with the computer science programs.

"We don't have 'internal customers.' We're partners with the business."

-BARRY COHEN, CIO, ASBURY AUTOMOTIVE

PROBLEMSOLVERS

On leaders and culture:

"Leadership is essential to [company] culture. You can't just rely on
being a charismatic guy. It’s about having a well-defined notion of who
you are as leader, projecting that and shaping enthusiasm around it."

-Joe Drouin, CIO, PulteGroup

On security spending:

"It's a lot like a car. Every so often you need new brakes or a tuneup.
At the end of the day, security is a consistent [expenditure], but a lot
of it is maintenance."

-Phil Agcaoili, SVP and CSO, Elavon

On keeping millennial talent:

"We get excited about new ways to develop ourselves. Any ways that
companies can allow that is a great way to retain us."

-Courtney Swafford, Sr. Director, Marketing, American Cancer Society
Efficiency on the Menu


At TGI Fridays, servers use tablets to zap orders to the kitchen
while still interacting with diners

By Stephanie Overby

In the thin-margined restaurant industry, companies live or die by table turnover time. Yet the
process by which most eateries serve their customers is anything but efficient. After initially
greeting diners who probably aren’t yet ready to order, waiters and waitresses make numerous trips
back and forth between their assigned tables and the point-of-sale (POS) terminal—where, during a
busy shift, their fellow servers will invariably be waiting in line to send orders to the kitchen. The
to-and-fro takes place again when customers are ready to pay.

TGI Fridays says it has streamlined that process with mobile technology. The casual dining
chain is equipping wait staff with 8-in. tablets from Oracle’s recently acquired Micros Systems unit.
Running Microsoft’s Windows 8.1 operating system and Oracle’s Micros Restaurant Enterprise
Solution software, the tablets enable servers to enter orders, process payments and scan discount
codes while interacting with customers tableside. (TGI Fridays is a Microsoft shop, so opting
for that vendor’s operating system enabled the company to deploy the systems quickly.)

8%: Americans who admit they often or always text or email while
driving (the figure is 17% for millennials). USC Annenberg Center for the Digital Future

“We wanted to make it easier for our servers to do their jobs in a way that
enhanced—not detracted from—the customer experience,”
says TGI Fridays’ CIO Tripp Sessions.

Fridays introduced more than 200 tablets at seven restaurants last year. It took one or
two shifts for servers to get up to speed, but then table turnover times began to improve.

No longer reliant on a limited number of POS stations, servers can, for example, send
a drink and appetizer order to the kitchen while interacting with guests. They can also
process payments on the tablets and offer electronic receipts. Less waiting means happier
customers, as evidenced by a two-point increase in the Net Promoter Score for customer
satisfaction at the TGI Fridays locations with tablets.

There have been benefits for wait staff, too. With tablets in hand, the company’s best
servers can handle eight tables instead of four—which can mean
double the tips. Putting the best servers (those most skilled in
areas such as upselling, as measured by an algorithm the company
developed) has increased the average order per person,
though Sessions declined to say by how much.

Executives  were  initially  concerned  that  an  increase  in 
throughput  would  overwhelm  the  kitchens.  But  the  cooking 
crews  benefit  as  well,  because  they  receive  orders  one  by  one 
while  servers  talk  to  customers,  instead  of  in  clumps  input  by 
staffers  lining  up  at  POS  stations. 

The  tablets  also  guide  servers  through  the  chain’s  workflow 
protocols,  cutting  the  time  it  takes  to  train  new  hires  in  half. 
“When  you  have  the  kind  of  [employee]  turnover  we  do  in  this 
industry,”  says  Sessions,  “that’s  big.” 

Fridays planned to roll out another 2,600 tablets at 81 restaurants—or
about half of its company-owned locations—in the
second quarter of this year. Then, says Sessions, it will begin
pitching the benefits to franchisees. “We’re seeing positive
movement in all the metrics we hoped to,” he says.

Stephanie  Overby  is  a  freelance  writer  based  in  Massachusetts. 


AMERICANS  HAVE 

More  than  half  of  the  U.S.  workforce  is  using  data  on  the  job, 
and  nearly  8%  of  all  U.S.  jobs  are  considered  data-intensive. 


[Chart: Degree to which U.S. jobs involve analysis and processing of data.
Jobs in which data is at least ... to the work: 59% of the U.S. workforce.
Jobs in which data is central to the work: 7.8% of U.S. workforce.]

SOURCE: "The Importance of Data Occupations in the U.S. Economy," U.S. Department of Commerce,
Economics and Statistics Administration, March 2015




Outsourcing Not Delivering IT Innovation

Companies are increasingly taking a multisourcing approach to IT outsourcing, signing
shorter, smaller deals with a mix of providers. At the same time, some are pulling certain
pieces of the IT portfolio back in-house.

"As you get into the second- and third-generation renewals, each renewal sees a
bit more work being sliced off and taken back in-house," says Mike Slavin, managing
director of Alsbridge, an outsourcing consultancy. "And those functions being repatriated
are often related to innovation."

Lack of IT innovation remains one of the top complaints about outsourcing. Outsourcing
customers say that providers fail to bring any new ideas to the table. Providers protest
that clients don't know what they mean by innovation and aren't willing to pay for it. And
traditional outsourcing bidding and contractual processes aren't designed to drive
innovation; in fact, they thwart it.

Slavin says most outsourcing deals are focused on cost efficiencies and rarely call for,
say, an innovation committee or an innovation fund.

-Stephanie Overby
U.S. online shoppers who make e-commerce purchases from
merchants outside the U.S. at least every few months. FedEx/Forrester
CROSSING THE CHASM FROM IT TO

NEW RESEARCH REVEALS THAT MOST ORGANIZATIONS
PURSUING DIGITAL TRANSFORMATION ARE EMPHASIZING
EFFICIENCY RATHER THAN GROWTH AND POINTS TO FIVE
STEPS YOU CAN TAKE TO REALIZE TRANSFORMATION'S
POTENTIALLY EXPONENTIAL IMPACT ON REVENUE GROWTH.

Around the world, companies that have seized the opportunities
presented by technologies such as analytics, mobile, social and
cloud are creating innovative new services, collecting double-digit
revenue gains and radically reducing operating expenses.

Despite its significant potential to generate new revenue,
however, most organizations are focusing initial digital transformation
efforts chiefly on IT operating efficiencies, according
to a new survey from IDG Research. To achieve the dramatic
growth digital transformation makes possible, businesses
must think bigger, bolder and more strategically.

"Digital transformation is a powerful business enabler that can
do much more than increase efficiency," says Raman Sapra,
executive director and global head of Dell Digital Business
Services. "It disrupts business models, generates new
revenue opportunities and enhances customer and employee
engagement."

Encouragingly, the new study shows that decision-makers
fully appreciate digital transformation's benefits. Nearly eight
in 10 respondents are currently making moderate or significant
investments in mobile technology, and 76 percent are
spending similarly on analytics.

Moreover, those investments are helping companies streamline
IT processes: 48 percent of survey respondents said IT
has seen the most progress to date.


TOTAL  BASE:  166;  Q7.  IN  WHICH  OF  THE  FOLLOWING  AREAS  HAS  YOUR 
ORGANIZATION  MADE  THE  MOST  PROGRESS  TO-DATE  IN  TERMS  OF  ITS 
ABILITY  TO  TRANSFORM  AND  IMPLEMENT  A  "DIGITAL-FIRST"  APPROACH? 


Progress beyond IT has been slower, however. For example,
although 40 percent of survey participants have made operations
an initial digital transformation focus, only 27 percent
reported significant headway. Additionally, just 20 percent of
respondents called sales an early transformation focus.

Companies  eager  to  take  digital  transformation  to  the  next 
level  should  consider  five  important  steps: 

1.  Get  strong  commitment  from  the  C-suite. 

The sweeping changes associated with digital transformation
require active, wholehearted support from CEOs and the
entire C-suite.

2.  Appoint  a  chief  digital  officer. 

A  good  CDO  can  drive  a  comprehensive  digital  transformation 
strategy  designed  to  achieve  business  objectives. 

3.  Shift  the  core  focus  to  driving  business  growth. 

To capitalize fully on digital transformation's explosive revenue-generating
power, businesses must re-envision not just IT
but marketing, sales, operations and finance as well.

4.  Manage  change  carefully. 

Companies  must  help  employees  understand  what's  changing 
and  why  and  then  provide  the  tools  and  training  needed  to 
make  those  changes  effectively. 

5.  Partner  with  a  proven  digital  transformation  expert. 

A partner that has deep industry expertise and offers digital
business consulting in addition to digital technology execution
capabilities can help you benchmark your digital maturity,
envision possibilities and implement best practices.

"Digital  transformation  leaders  should  prioritize  investments  in 
a  comprehensive  digital  strategy  covering  all  aspects  of  their 
business,  including  marketing,  sales,  operations  and  finance," 
Sapra  says.  "Changing  course  effectively  means  overcoming  an 
often  entrenched  status  quo  and  imagining  new  possibilities." 

Go  to  Dell.com/CrossingTheDigitalChasm  to  obtain  a  free 
download  of  the  full  "Digital  Transformation:  Crossing  the 
Chasm  from  IT  to  the  Business"  white  paper. 
Dialogue, Not Sales Pitches

A vendor's customer advisory board can be a great venue to provide feedback
about IT products, but only if you get a chance to speak

By Eyal Danon


After 45 minutes of sitting in a vendor’s customer advisory board meeting, listening
to the CEO deliver his standard strategy and road map presentation uninterrupted, the
CIO of a major retailer had heard enough. “I have already seen this presentation; it’s
on the investor relations section of your website,” he interjected to the somewhat
stunned CEO. “You spent a lot of effort and money to get me and my colleagues all here.
What advice are you looking for from us?”

After a bit more discussion, the CEO finally got it. He realized council members
weren’t there merely to be another passive audience that would quietly listen as he
discussed his plans; instead this was an all-too-rare opportunity to gather customers’
views on the complicated challenges—and often-messy trade-offs—he and his company
faced. The meeting agenda was hastily changed, and the rest of the
day was insightful and beneficial for everyone.

Unfortunately, the CEO-drones-on scenario can be
quite common. However, when properly established and
operated, customer advisory boards can benefit all
participants—especially member CIOs.

Customer advisory boards should be a forum for
reviewing industry trends, addressing mutual challenges
or opportunities, and offering unvarnished insights and
guidance. For the vendors, these councils are ideal for
validating corporate strategies, gathering input on product
development and deepening relationships with key
customers.

However, the participating customers have just as
much—if not more—to gain.

First, by participating on advisory boards, CIOs can
get firsthand insight into a vendor’s road map, provide
feedback directly to the product management and support
teams, and ask for capabilities that would help their own
organizations. In addition, vendors often select beta users
from their advisory boards, enabling participating CIOs to
test-drive the latest products and provide feedback.

Perhaps more important, while participating on such
boards, CIOs can discover best practices from peers who
have faced and overcome similar challenges. The networking
with peers also could lead to personal
and professional growth opportunities.

But for all the potential benefits to CIOs,
advisory councils, if poorly run, can waste
your valuable time. Thus, there are some
red flags to watch for.

If your vendor is hell-bent on self-serving
product demos or sales pitches, run.
We recommend the 80/20 rule: Customers
do 80 percent of the talking, vendors only
20 percent.

Advisory boards should be a collection
of your peers, so another red flag would
be if the board members are a mix of people of varying
levels of responsibility, not just CIOs. Another big problem
is if your vendor doesn’t seem to be listening to the
customer feedback—i.e., it isn’t implementing any recommended
direction or following up with agreed-upon
action items. Finally, advisory boards should be part of
an ongoing, multiyear discussion, so be concerned if the
company doesn’t have a plan for continuing engagement
or, worse, you haven’t heard anything since the last meeting
six months ago.

Like  many  things  in  life,  when  it  comes  to  customer 
advisory  boards,  the  more  you  put  in,  the  more  you’ll  get 
out.  When  properly  managed,  advisory  councils  present 
a  great  opportunity  for  CIOs  and  host  companies,  with 
benefits  that  can  vastly  outweigh  the  potential  negatives. 

Understanding this should keep any CEO from delivering
uninterrupted 45-minute talks to rooms full of CIOs.


Eyal  Danon  is  president  and  founder  of  Ignite  Advisory  Group,  a 
consultancy  that  helps  B2B  companies  manage  customer  and 
partner  advisory  board  programs. 


If your vendor is hell-bent on demos and sales pitches, run. Customers
should do 80 percent of the talking, vendors only 20 percent.


MAY  1,  2015  www.cio.com 


Sweeten the Pot

CIOs competing in the talent wars must offer the right mix
of compensation and enticements

By Mary K. Pratt


CIOs  worried  about  getting  and  keeping  top  talent  may  have  to  boost  pay.  The  No.  1  reason  good 
employees  quit  is  dissatisfaction  over  compensation,  according  to  a  recent  survey  by  staffing  firm 
Robert  Half  International. 

But before handing out massive raises, you might want to take a more nuanced look at job
satisfaction. Veteran CIOs agree that pay is important, but while some contend that money is paramount,
others say there are factors beyond cash that motivate individuals.

Charles Galda, CIO of Technology Centers and Services at GE Capital, says a sense of mission
matters to IT professionals. “When it comes to retaining high-performing, skilled talent, employees
want to feel connected to a broader purpose, feel the impact and reward from their work and feel
immersed in exciting technologies and innovative business models,” Galda says.
Still, compensation is “almost always No. 1” for recruiting and retaining IT talent, says John Reed, senior executive director of Robert Half Technology, the IT staffing arm of Robert Half International. All things being equal, a worker will jump for a job that offers even just a little more money, he says. The pressure is on CIOs to pony up.

Charles Christian, vice president and CIO at St. Francis Hospital in Columbus, Ga., says he has lost candidates because he couldn’t provide the pay they wanted. He tries to counter that by delivering sweeteners such as job stability and flexible schedules.

Like most employers in healthcare, St. Francis Hospital isn’t on the high end of the IT pay scale, says Christian, who is also chairman of the College of Healthcare Information Management Executives board. He estimates that cash compensation for IT professionals at his organization is about 75 percent of market rates.

The nonfinancial benefits of working at the hospital help keep turnover among the 65-member IT staff at less than 5 percent, but Christian acknowledges that he still has to occasionally bump up the salaries offered to job candidates. “There were times we’d bend the pay scale because someone has a skill we needed,” he says.


Keeping  Turnover  Low 

James Knight, global CIO at Chubb, a major property and casualty insurance company, says companies don’t have to offer top-of-the-scale pay to get and keep top talent. Knight, a member of the Society for Information Management’s Advanced Practices Council, says pay for his 1,300 IT employees is generally between 50 percent and 70 percent of market rates.

“There are definitely extremely talented people who could work elsewhere for more money, but they’re not leaving,” he says, noting that turnover is less than 3 percent because Chubb offers other important benefits—challenging work, recognition, flexibility and bonuses.

Shafiq Rab, CIO at Hackensack University Medical Center, says that if compensation is within $15,000 of market rates, an employee’s relationship with direct managers is the main factor in retention—pay is second.

To illustrate his point, he recalls an incident involving an employee who was ready to resign because she felt she didn’t receive the pay or management attention required for her position. After reviewing the situation, Rab and the employee’s manager decided that they agreed with her and chose to bump up her pay and the time she spent with the manager. She opted to stay.

“We gave her what was fair,” he says, “and because we had the right relationship, we could do right by her.”


Mary  K.  Pratt  is  a  freelance  writer  based  in  Massachusetts. 


WINDOWS  10 


1. THIS IS A DO-OVER. CIOs were repelled by Windows 8's radically different, touchscreen-optimized user interface, and by its alternate desktop interface, which lacked familiar features such as the Start button. "History shows that Microsoft over-rotated on touch and distanced itself from traditional PC users who need, at least some of the time, a good keyboard-and-mouse experience," says IDC analyst Al Gillen. "The focus in Windows 10 is to rebalance the experiences such that commercial customers will see value in Windows 10 that they did not see in Windows 8." Many companies clung to Windows 7 and skipped Windows 8, including health club chain L.A. Fitness. "It was too much of a change from what people are used to," says CIO George Bedar. With Windows 10, the traditional desktop UI is more like Windows 7, and the touch UI is more intuitive.

2. SECURITY IS IMPROVED. Windows 10 will have native two-factor authentication, plus data loss prevention technology that distinguishes between personal and corporate data, and protects the latter using "containment." Sensitive information will be automatically encrypted, and IT managers will be able to establish policies that control which apps can access corporate data.

3. IT WORKS ON MULTIPLE PLATFORMS. Windows 10 is the first version of Windows with a unified code base and APIs, so apps built for it can run (with minor modifications) on various devices supported by the operating system, including smartphones, tablets, laptops and desktop PCs. IDC's Gillen calls the universal app platform "perhaps the most important technology included in Windows 10."

4. THERE ARE SOME SURPRISES. The new operating system has some glitzy features, such as hologram technology that lets developers create 3D apps; Cortana (Microsoft's answer to Siri) for voice commands; and a new browser that will be designed to work across different Windows 10 devices and will be kept constantly updated.

5. DUE DILIGENCE IS STILL REQUIRED. Early reviews of Windows 10 preview versions have been mostly positive, but CIOs should test the operating system to make sure it's stable and to see how it performs with their software and hardware. "We think it will be vital for CIOs to familiarize themselves with Windows 10," says Forrester Research analyst David Johnson. "Unlike Windows 8 and 8.1, [Windows 10] will be adopted as an enterprise IT standard." At L.A. Fitness, IT has been testing Windows 10 and hasn't identified any concerns, but Bedar isn't taking any chances. He says it won't be rolled out until Microsoft issues the first service pack update. -Juan Carlos Perez
The Evolution of the WAN

How do you see the WAN evolving today and what are some of the key trends?

Applications delivered from the cloud and centralized voice services expose the need for 100% WAN uptime, while business use of video is forcing costly bandwidth upgrades.

The WAN is evolving through a diversification of network options. Broadband and mobile Internet are emerging as feasible alternatives to MPLS technology, compelling enterprises to evaluate their potential. These alternatives bring a multitude of choice in speed, reach, reliability and cost to an otherwise single, high-quality offering menu of MPLS.

What technology and business factors are driving this evolution?

IT and business leaders now recognize that organizations don't have to build and operate everything internally. They are turning to infrastructure as a service (IaaS) for cost and capacity flexibility.

Applications are driving this evolution.

IT leaders are looking at time, cost, and infrastructure—how quickly a new application can be made available to internal users, the cost of delivery, and how the application can be adopted without changing the existing infrastructure. The cloud-based model provides a more efficient and flexible way to tackle business requirements than in-house development, while addressing quality-of-service and cost requirements without compromising security.

When you speak with technology leaders, what do they identify as key network pain points and why?

The three pain points are flexibility, cost, and reliability. First, greater flexibility is required to serve these new apps and how they are consumed. The apps may be in an enterprise data center, on a private cloud, or in public cloud services. Users may be in urban branch locations where bandwidth may be plentiful but not consistent, while others in suburban or remote branches may be starving for bandwidth. All permutations of where the applications are produced, and the locations where they are consumed, need to be easily served via a flexible network.

Second, there's the cost of network capacity, especially when users access apps from branch locations, or use video-based products and technical training at work. For a large enterprise, every $1,000 of monthly network spend is multiplied by 100s of locations, capturing the attention of the company CFO, who demands the rationale for additional network spend.

Third, greater reliability is required because with cloud-based apps, Voice-over-IP or transactional services, the network must always be available. Technology leaders know that a successful IT operation is when the network is running at all times, delivering the applications that the business depends on.

How does Citrix meet customer application and service delivery requirements and what are the key differentiators?

At Citrix, we recognize the application evolution to the cloud and we are at the forefront of delivering workspaces of applications as a service. We understand the pain points that technology leaders are identifying and we are evolving our delivery networking products to address these needs. For example, the CloudBridge InfiniWAN solution allows enterprises to use WAN virtualization technology to blend different networks—MPLS, broadband internet, mobile Internet (4G/LTE) and satellite—to create a unified network that offers more bandwidth and reliability, while reducing costs. Because we virtualized these networks, we can deliver WAN capacity that is not dependent on a single network technology, with a higher level of reliability. For example, a decision can be made quickly about which underlying network to use for an application, verify immediately whether a network has failed, and in as little as 10 milliseconds, make the appropriate change to ensure quality of service, with no interruptions to applications or voice calls.
Moving From No to Yes on Dropbox

A healthcare CIO reverses course and lets doctors use the cloud service, but only with a layer of data encryption for security

By Bob Violino

When CIO Gerry Moore joined St. James Hospital Group last year, the staff and doctors—who increasingly work with mobile devices—wanted to use Dropbox, a popular, cloud-based storage tool often used for file sharing. Moore denied the requests because of security and compliance concerns.

Physicians and hospital departments wanted Dropbox so they could quickly share medical reports and results, but the hospital group “could not implement a solution that would put a patient’s data at risk in any way, shape or form,” Moore says.

St. James Hospital Group, which has hospitals in Malta, Hungary and Libya, is greatly concerned about ensuring data privacy and security, but it also needed a way to speed up collaboration and workflows.

So in July 2014 the organization began its search for technology to deliver certain patient information to general practitioners (GP) without putting the information at risk. The hospital group selected a product from Sookasa that adds data-protecting encryption to Dropbox. The organization has deployed the combo in its radiology departments, and plans to implement it in specialty areas such as the oncology, endoscopy, maternity, psychology and urgent care units.

“The plan is to roll out this functionality to every department that gets referrals or that interacts with patients who have a GP who would require documents for his own records,” Moore says.

Prior to the implementation, “we would have sent out radiology reports via [mail] and the patient would have to wait until the GP had the record in hand and had reviewed it before discussing the result with them,” Moore says. “Now the GP is receiving the records within hours of a diagnostic scan being carried out and can see the patient the next day or even the same day,” Moore says. “This provides massive benefits to the patients, as they receive care much faster and have less time to stress themselves out.”

Another result: “We are gaining an even better reputation for being efficient,” Moore says.

There’s growing demand for products like Sookasa that protect confidential information, says David Monahan, a security analyst at Enterprise Management Associates. “Services like Dropbox, Box, Google Drive and others are still growing in popularity,” Monahan says. “The ability to share data across the cloud in a frictionless manner is highly desired. However, the more frictionless the less secure. People often do not think about the ramifications of sharing data, especially when it comes to what happens to it once they let it go.”

Bob Violino is a freelance writer based in New York.


Federal  CIOs  Demand  Superior  Cloud  Reliability 


When government agencies go shopping for a cloud services provider, they have zero tolerance for downtime.

In a recent panel discussion, federal IT officials said they expect vendors to include strong performance guarantees and offer reliability that is at least on par with what their organizations could achieve on their own. "The incentive for us is to stay up 100 percent of the time, because we provide 99.99 percent internally," Pamela Dyson, CIO at the Securities and Exchange Commission, said at an event hosted by Federal News Radio.

Dyson said the SEC is very cautious about turning over sensitive information and applications to vendors. And while she did acknowledge that public data, like the corporate filings the agency collects through its EDGAR system, is now kept in the cloud, she noted that the SEC's contracts with the vendors that provide that service carry the expectation of zero downtime.

"It's about collecting money. There are fees associated with filing. If our systems are down during a period of time, people can't file. We lose money, and someone from Capitol Hill will call me and ask me to come up and talk to them about why," Dyson said.

Andre Mendes, director of global operations at the Broadcasting Board of Governors, said his agency relies on a content delivery provider to stream high-definition broadcasts to places such as China, Cuba and Vietnam. He credits cloud providers with improving service in recent years, but he cautioned vendors against touting contract provisions that promise partial refunds in the event of service outages as a selling point.

A refund is of little comfort when an agency that requires always-on connectivity is knocked offline, according to Mendes.

"If I'm off the air for 10 minutes on a critical broadcast into China or Russia, do I really care about that $15,000 that you're going to give me because that link was down?" he asked. "It doesn't matter one bit to me. I want 100 percent." -Kenneth Corbin
BOARDS ON CYBER ALERT

Fear of cyberattacks has corporate directors on edge. CIOs must steer the conversation toward managing business risk.

BY STEPHANIE OVERBY

When Anthem revealed in early February that hackers had breached a database containing the personal information on 80 million of its customers and employees, the news hit a little too close to home for Gary Scholten, executive vice president and CIO of Principal Financial Group. His first order of business that day was to gather all the information he could to reassure his board of directors that the financial services provider did not have similar vulnerabilities.

He contacted the industry’s Financial Services Information Sharing and Analysis Center to get detailed intelligence on the exact nature of what Anthem publicly called a “very sophisticated external cyber attack” and was able to assure his board members that Principal’s customer and employee data was not at risk from the type of attack launched against Anthem.

Anthem is one of the nation’s largest health insurers. Because of the size of its breach, the industry in which it occurred and the media attention it received, Scholten wanted to get ahead of the questions that Principal’s directors might ask. “Cybersecurity is a huge priority for them because the service we provide is so reputation-based,” says Scholten. “It’s a top-of-mind board issue.”
Scott Angelo, CIO of K&L Gates, was in Miami for the annual meeting of the law firm’s management committee (a private company’s version of a board) when the Anthem news hit. “They wake up, and the first thing they want to know about is Anthem,” says Gates, who was hired three years ago specifically to strengthen the firm’s cybersecurity stance. “They’re inundated with all this information that’s out there.”

The Anthem breach was just the latest in a string of cybersecurity incidents that have occurred over the past couple of years (you know the litany of contretemps: Target, Home Depot, Sony Pictures, JPMorgan Chase and so on). And corporate boards are on high alert. Cybersecurity is “in the press every day,” says Peter Gleason, president of the National Association of Corporate Directors (NACD). “It’s the foremost issue on directors’ minds right now because it’s tied into the risk structure of the organization.”

Cybersecurity oversight is the second most important topic for boards in 2015—just behind strategic planning—according to law firm Akin Gump Strauss Hauer & Feld.

“It’s not just financial services firms or regulated companies—everyone is interested now,” says Kimberly Peretti, partner and co-chair of the security incident management and response team at law firm Alston & Bird.

In 2014, 42.8 million security incidents were detected, a 48 percent increase over the previous year, according to PricewaterhouseCoopers. The average size of the financial hits attributed to those incidents was $2.7 million, and the number of organizations reporting incident-related losses of more than $20 million increased 92 percent last year, PwC reports. But the true cost may never be known. As many as 71 percent of compromise victims did not detect the breach themselves, according to a 2014 report by cybersecurity firm Trustwave.

Yet board members complain that they’re not getting the right information. More than one-third of them are dissatisfied with the quality of information they get regarding cybersecurity risk, and more than half are unhappy with the quantity of information provided, according to a NACD survey of 1,013 public companies.

There’s a positive correlation between how much the board is engaged with cybersecurity issues and the strength of IT security profiles, according to a study by business risk consultancy Protiviti. That’s why CIOs like Scholten and Angelo are focused on effective communication with their boards. By providing corporate directors with meaningful intelligence on a regular basis, savvy CIOs and CISOs not only educate their boards about the issues they should focus on as they oversee security-related initiatives; they also garner high-level support for building robust security systems and adopting processes and policies necessary to protect corporate data.

Defining  the  THREAT 

Keith Turpin joined Universal Weather and Aviation as CISO last summer to revamp the security program. Historically, cybersecurity had been all but ignored by the board of the international flight planning and support services provider. “My job was to come in and build a strategy to take to the board and get the support that would allow the program to be successful,” says Turpin.

Explaining IT security to a nontechnical audience was going to be a challenge. “I’ve seen people go into board meetings with a network diagram,” says Turpin. “You might as well be showing them a crop circle.”

So Turpin turned to his background in physical security. He built a small door and fitted it with several seemingly secure locks. He asked the directors in the room if they thought the door was protected. “They looked at me like I was crazy,” Turpin recalls. But he explained to them, as he exploited the critical flaw in each of the locking mechanisms in less than a minute, that while the door looked well protected, it was vulnerable. Cybersecurity, he said, was about having the right controls in place to protect the company’s data should an IT vulnerability—of which there are thousands—be exploited. He then presented the board with a risk assessment forecast and a security strategy. “[But] the thing they still remember was that door,” he says.

“You can’t go in there and tell them about the ISO 27000 standard. That’s not an effective message,” Turpin says. “You have to boil it down to the core business risks for your company: What could have the most significant impact on our revenue stream?” Once the board understands the fundamentals, it’s easier to update them on the impact of security investments and address issues as they arise, he explains. After that first meeting, the board quickly approved Turpin’s proposed IT security budget; the COO even asked if he needed more money.

Educating the Board

Tips for doing your homework and then teaching the board of directors about the latest security threats

1. Conduct an enterprise risk analysis and create a baseline cybersecurity profile. Focus on what the company's crown jewels are and the steps you are taking to protect them.

2. Enlist reputable third parties to provide the board with an outside assessment of your company's IT risk profile.

3. Make sure that board members understand IT's incident response plan and their role in it.

4. Use standard frameworks to bolster IT's credibility with the board.

5. Involve other executives, particularly the CEO, in your efforts to discuss cybersecurity with the board.

6. Keep abreast of emerging best practices, regulatory expectations and standards.

7. Offer ongoing education and training for board members and executives on key issues and new threats.

8. Ask board members if they think they're getting the kind of information they need to oversee cybersecurity investments. Make adjustments based on their input.

-S.O.

“Boards need education first and foremost to get them up to speed on the critical issues: What lexicon they should use, where they need to spend money, when they need to buy insurance,” says Gleason of the NACD. “They need fulsome reporting to get their hands around it because it’s not something they manage every day.”

In 2011, K&L Gates chairman and managing partner Peter Kalis worried that the law firm—which has access to the corporate secrets of thousands of companies—could be the weakest link in his clients’ cybersecurity frameworks. “He came to the conclusion that we were as big a target as anyone else,” says Angelo, whom Kalis hired for his IT security skills.

The first time he stood before the management committee, Angelo delivered his high-level definition of risk: In order to have a risk, you need to have not only a vulnerability but also a threat that corresponds to that vulnerability. “As an organization, you’re going to be managing thousands of vulnerabilities every day. But they’re passive,” says Angelo. “A vulnerability is like a piece of dynamite. You can kick it around. You can throw it. But without a wick and someone to light it, it’s not going to go off. I wanted them to focus on what the true threats are.”

That’s where Angelo’s background in intelligence came in. He started thinking about the types of people who might be interested in the data the law firm had access to, how they might try to get it, and how best to protect against their attempted break-ins. “That’s an easier pitch. Then you know where to spend your money,” says Angelo. “That there is the secret sauce.”

To stay on top of potential threats, Angelo digests a steady stream of third-party research on the changing security landscape. “It used to be difficult to get that kind of information, but it’s becoming much more readily available,” he says.


The  Business  of  RISK 

“Cybersecurity is not an IT issue. It’s a business issue,” says Lloyd Boyd, CIO of Shale-Inland Holdings, an industrial supplier of pipe, valves and fittings. “In our business, we’re not dealing with consumer data or health information, but we know that an attack has the potential to impact business operations. And my board wants to know what that risk is and how we’re managing it,” he says.

But while the board has become aware of the importance of cybersecurity in recent years, directors don’t deal with it every day like Boyd does. “They don’t know what they need to know,” says Boyd. “It’s important for us as CIOs to effectively communicate these issues in practical terms. We’re going to be a victim at some point, and we need to be prepared.”

To garner board support for making the necessary preparations, Boyd applies the “human action model” developed by Austrian economist and philosopher Ludwig von Mises for instigating change: Create uneasiness with the current situation, deliver a clear vision of a better way, and create a safe path forward. “To get the board interested, you have to make it clear why they should be interested,” he says.

Cybersecurity is "the foremost issue on directors' minds right now because it's tied into the risk structure of the organization,"
-Peter Gleason, president, National Association of Corporate Directors

“Security should be about protecting your current ability to earn and retain revenue, and reducing the risk for new business in the future,” says Turpin. “A lot of times, it’s seen as a subset of IT, but in reality it’s about business risk management.”

Gleason agrees. Cybersecurity, he says, “has to be seen by the board as part of the enterprise risk structure the company must address.”

At Principal Financial Group, the board knows that incidents are going to happen. “The bottom line is that they want a sense of whether we’re taking prudent steps to manage that risk,” says Scholten. Is the defense-in-depth approach working? Has monitoring proved effective? Is the company capable of responding to incidents? Scholten doesn’t just provide IT’s own assessment of Principal’s cybersecurity posture; he also brings in third parties to evaluate the state of security.

Getting  Real  About  CYBERSECURITY 

Chances are most board members have heard the attention-getting cliche that there are two types of companies: those that have been breached and those that don’t yet know they’ve been breached. “It scares the pants off of them,” says Gleason. “But then they’re scratching their heads thinking, ‘So, all right . . . we’re somewhat protected? What does that mean?”’

Scare tactics get old fast. “I don’t talk that way to board members. It’s a little too Chicken Little,” says Boyd of Shale-Inland. “Yes, threats are pervasive, and the likelihood of any one company being breached is very high. But there may be things that you flat out don’t care about protecting. What’s more important is understanding the risk profile of the company. Where are the most critical assets and what are we doing to protect them?”

At Universal Weather and Aviation, Turpin had to break it to his board that it would take awhile to get the company’s cybersecurity house in order. “They were like, ‘What would it take to do it in half the time?”’ he says. Short of fairy dust, he told them, it couldn’t be done. “Even if we threw a lot of money at it, there were changes we had to make to the infrastructure and business processes and significant staff training that needed to be done, some of which was very challenging and would take time,” he says. “I told them that as we proceeded, I would let them know if there were opportunities to move more quickly. When I walked out of the meeting, I had their full support.”

Going  Beyond  the  HEADLINES 

While  extensive  media  coverage  of  high-profile  breaches  has 
spurred  board  members  to  care  more  about  IT  risk  than  ever 
before,  a  daily  diet  of  such  headlines  can  sow  panic.  “You  would 
think  it  would  help,  but  it  also  hinders,”  says  Boyd.  “It  can  even 
desensitize  the  board  because  they  know  that  the  press  can 
sometimes  overhype  things.  They  need  a  fair  and  balanced 
perspective  of  what  is  real.” 


Some  news  has  value.  “When  [a  breach]  occurs  in  your 
industry  or  meets  some  threshold  that  allows  you  to  reinforce 
the  message  that  what  you’re  doing  is  good  or  enables  you  to 
make  a  request  that  hasn’t  been  approved  yet,  it  might  be  a  good 
use  of  the  news  of  the  day,”  says  Cal  Slemp,  managing  director 
and  head  of  the  IT  security  and  privacy  practice  at  Protiviti. 
“But  we  don’t  recommend  a  steady  stream  of  [such  news].” 

Angelo  also  worries  about  overplaying  the  scary  headlines. 
“If  you’re  going  to  talk  about  Anthem  or  Home  Depot  or  Target, 
you’d  better  make  sure  it’s  relevant,”  he  says.  “I  keep  that  stuff 
out  of  my  presentations.  Everyone  can  read  it  on  their  own,  and 
that’s what got us before the board in the first place.”

Turpin scoured various reports of security incidents and
unearthed an attack outside his industry that illustrated an
issue that Universal Weather and Aviation was facing internally.
“I found an example that clearly showed something that
could happen to us and what the impact would be if it happened,”
he says. “It was the best example of a worst-case scenario.
It was clear to [the board] how devastating it would be
to the business.” When major vulnerabilities are exposed—a
Shellshock vulnerability or a Heartbleed bug—Turpin sends
out a companywide message to let everyone know that his office
is aware of the issue and has plans in place to handle it.

Keeping  the  Board  on  BOARD 

If  giant  banks  and  government  agencies  can  get  hacked,  how 
can  the  average  business  protect  itself?  That’s  a  question 
Jerry  Irvine,  CIO  of  IT  services  firm  Prescient  Solutions  and  a 
member  of  the  National  Cyber  Security  Partnership,  gets  a  lot. 
“Everyone  would  like  to  get  that  magic  cape  to  throw  over  their 
systems  to  protect  them  from  the  rest  of  the  world,”  he  says. 

Irvine  doesn’t  have  a  magic  cape,  but  he  suggests  something 
better.  “Give  [the  board]  something  to  touch  and  read  and 
understand  that  shows  you  are  making  progress  and  getting 
things  done,”  he  says.  “What  the  board  wants  are  metrics  to 
keep  on  top  of  what’s  happening.”  Some  key  metrics  include 
an  inventory  of  known  and  authenticated  devices  and  software, 
vulnerability  scans,  and  the  business  continuity  measures  “that 
would  be  necessary  in  case  of  a  security  breach  or  incident,” 
Irvine  says. 

CIOs and CISOs can partner with board members to figure
out what information would be most useful. “What we see
work most effectively as boards are pushing into this area is
working collaboratively with executives in the organization
to work through what’s important and settle on a series of
communications and metrics on governance for cybersecurity,”
Irvine says.

There are no rules about how often to communicate with
the board about IT risk. “You don’t want to over-alert. But, then
again, you don’t want to paint too rosy a picture,” says Peretti at
Alston & Bird. “The goals should be to create meaningful and
consistent reporting that establishes credibility and paints an
honest and accurate picture.”

Boards don’t need daily—or even weekly—updates, but they
do need to see the big picture. “The board should be focusing on
managing risks, not detailed operations,” Turpin says. “They
need to be informed enough to support strategy.”

Most CIOs and CISOs talk directly to the board about
cybersecurity every quarter.

“It has to be frequent communication. It can’t be once a
year. That’s not going to give a sense of what’s occurring and
how well positioned we are,” says Scholten. He meets with
this board five times a year and also provides a cybersecurity
report at each monthly executive team meeting. “Things
change so much, it has to be frequent,” he explains. “From
that report, we can choose what should go on to the board.”
Scholten also has ongoing interactions with Principal’s audit
committee, with whom he conducts a “deep dive” into IT risk
every year.


Just as important as Scholten’s board updates are the active
education and awareness programs he conducts. “We’re really
aggressive with respect to training and keeping people abreast
of new trends. Questions from the board become better as
a result.”

Ideally,  you  should  institutionalize  a  process  for  providing 
updates  on  threats  and  corporate  risk  assessments,  whether  to  the 
audit  committee  specifically  or  the  board  as  a  whole,  says  Boyd. 

Such updates could be presented via risk scorecards, heat
maps, IT security dashboards or some other format, says Gleason.
“There are a variety of ways to present it, but the goal is to
communicate what the risk looks like holistically, and how it’s
changed since the last update,” he explains.

Building  Trust  Amid  UNCERTAINTY 

Since  Angelo  gave  his  first  cybersecurity  presentation  to  the 
board  in  2011,  his  interactions  with  directors  have  evolved. 
There  were  two  zero-day  exploits  in  the  press  in  those  early 
days.  “It  generated  a  ton  of  questions.  My  email  would  light  up,” 
he  recalls.  He  found  himself  having  to  schedule  meetings  with 
board  members  and  executives  to  discuss  the  incidents.  “But 
that  was  fine,”  he  explains.  “Once  I  was  able  to  explain  that  it 
had  no  impact  on  our  architecture,  the  issue  went  away.” 

Fast-forward  to  this  February’s  management  committee 
meeting  and  the  huge  Anthem  breach,  and  the  difference  is 
clear:  He  no  longer  gets  sidelined  by  the  latest  headlines  that 
ultimately  have  little  to  do  with  the  state  of  security  risk  at  K&L 
Gates.  Committee  members  were  certainly  aware  of  the  big 
breach,  but  they  trusted  that  Angelo  was  on  top  of  it  and  didn’t 
interrupt  his  regular  cybersecurity  update  at  the  meeting  with 
questions  or  concerns.  “A  year  ago,  it  would  have  dominated  the 
discussion,”  Angelo  says.  But  this  time,  he  says,  “I  was  able  to 
stick  to  the  facts.” 

Still, CIOs must have a realistic message because of the
ever-evolving threats. “One thing I always close with—and they’re
probably tired of hearing me say this—is ‘Things can change
overnight.’ You can go to bed feeling secure and wake up to an
exploit that we’re vulnerable to,” Angelo says. “The bad guy
only has to be right [once]. We have to be right all the time.” The
committee understands that, but members are confident in the
company’s security posture because of the transparent way he
discusses security strategy with them.

“There is a growing persistent threat. Whether it’s from
state-sponsored attacks or organized crime, there are so many easy
ways to monetize data to make it a profitable venture,” says
Boyd. “At the same time, the sky is not falling. We don’t have
major issues every day. The threat is more sophisticated, but
so are our protection mechanisms.”

Boyd says his regular communication with the Shale-Inland
board makes that clear. “It works very well. And it’s a mature
way to present the issues and enable the board to become a partner
in guiding what we want to do,” he says. “Every IT person
would like to say, ‘Just trust me to put in place what we need.’
We can’t do it all, and we can’t do it fast enough. We don’t want
to create a false sense of security.”


Stephanie Overby is a freelance writer based in Massachusetts.

Keep Sponsors Hooked


Successful  tech  initiatives  need  ongoing 
business  engagement.  Here's  how  to  get  it 

MICHAEL  MATHIAS,  BLUE  SHIELD  OF  CALIFORNIA 

TARGET  AREAS  OF  HIGHEST  PAIN,  DELIVER  EARLY  WINS 

When  I  arrived  here  two  years  ago,  IT  was  an  order-taker,  with  the  business  saying, 
“We  need  this,  and  here  is  how  we  want  you  to  do  it.”  That  led  to  stand-alone  solutions 
that  drove  a  lot  of  unnecessary  cost  and  complexity. 

We took a step back and set up a process based on enterprise architecture. The
business people define what their needs are—absent a tech flavor—and we build a
technology architecture around that. They define the “what,” and we define the “how.”

Human  nature  being  what  it  is,  people  were  averse  to  change,  and  it  took  a  while 
to  show  them  the  value  in  the  new  approach.  The  key  was  to  deliver  some  early  wins 
that  improved  synergy,  drove  costs  down,  and  increased  speed  to  market.  Then  the 
business  rallied  around  it  and  started  to  get  more  engaged. 


Michael Mathias, SVP and CIO, Blue Shield of California

Walt Meffert, CIO, Hanger Inc.

Michael Zill, EVP and CIO, CareFusion


We started in the area where our business partners were feeling the
most pain—our member sign-up process. I had set up a similar enterprise
architecture program, but we had to tailor it for this smaller organization.
It had to be more streamlined and not take up as much of the business
users’ time and energy. We now accomplish the same work in a much more
condensed fashion.


WALT  MEFFERT,  HANGER  INC. 

START  WITH  BUSINESS  LEADERS 

We  are  in  the  middle  of  one  of  the  largest  transformational  projects  in  our 
company’s  150-year  history:  the  rollout  of  our  electronic  health  records 
system.  I’ve  overseen  a  number  of  transformational  projects  over  the  years, 
and  the  keys  are  engagement,  engagement,  engagement.  If  you  don’t  have 
that  from  the  CEO  level  down,  it  won’t  work. 

We  started  by  identifying  our  “fab  five,”  one  expert  from  each  part  of 
the  business  that  would  be  affected:  compliance,  clinical,  administrative, 
finance  and  IT. 

Every aspect of the project, from gathering requirements to changing
workflows to training, went through this team. We put an engagement
matrix together—a list of all stakeholders and their levels of responsibility
and decision-making—so we knew who needed to be involved at what steps.

Our  fab  five  were  pulled  out  of  their  positions  to  work  on  this  full  time 
in  the  beginning.  But  this  is  a  five-year  project,  and  we’ve  completed  the 
majority  of  development,  so  some  have  moved  back  to  their  original  roles 
and  consult  on  the  project,  while  others  continue  full  time.  The  stakeholders 
change  over  time  and  have  different  levels  of  involvement.  But  you  have  to 
have  engagement  to  be  successful.  IT  can’t  be  out  in  front. 

MICHAEL  ZILL,  CAREFUSION 

NEVER  STOP  PITCHING  THE  PROJECT'S  VALUE 

Business  engagement  is  so  important  that  we  don’t  even  think  about  doing 
a  project  without  a  business  sponsor,  and  that  includes  our  infrastructure 
renewals  and  upgrades,  which  our  CFO  and  CEO  sponsor.  Even  if  it’s  a 
technical  upgrade  to  SAP  with  no  new  functionality,  we  still  need  business 
users  to  test  it.  So  you  have  to  have  someone  in  the  business  who  can  own 
that  project  and  get  people  motivated  about  it. 

If  we’re  going  to  introduce  new  sales  analytics  capabilities  for  the  iPad, 
our  sales  team  has  to  own  it.  They  present  the  business  case  to  the  executive 
committee,  and  continue  to  communicate  the  project’s  value  throughout  the 
normal  course  of  their  business,  like  at  town  hall  meetings. 

It’s not too difficult to get that level of engagement, because we don’t take
on projects that the business isn’t really excited about. One thing that has
made business engagement even easier has been shortening the lengths of
our projects—we won’t do anything that takes longer than six months, and
three months is even better. It’s easier to keep people engaged when they can
see the finish line. We’d rather deliver something sooner than everything
never. And in our all-hands meetings, our CEO celebrates business-driven
IT projects alongside our company’s latest new medical product advances.
That’s very motivating.


Boosting  IT  Communication 


Download: Four out of five IT leaders
claim that building trust and credibility
is highly important. But only four out
of 100 believe they are highly effective
in how they communicate with business
peers. That's one of the findings
from the CIO Executive Council's second
annual "Power of Effective IT Communication"
survey. Download the report to
read dozens of case studies highlighting
the issues that IT leaders face as they
strive for effective and dynamic collaboration
with business people. You'll
learn behaviors and best practices that
can turn IT leaders into true business
peers. In an age defined by change and
disruption, a technology leader's ability
to market IT's value has never been more
critical. council.cio.com/itcomm


Women  Taking  Charge 


Join: The council's Women in Leadership
community is embarking on a three-part
webcast series that will explore "the
power of you," by identifying how your
personality, social voice and authenticity
affect your career as a female leader. Led
by Pamela Rucker, co-chair of the community,
each webcast will feature polls,
Q&A sessions, case studies and guest
speakers. Members of the Women in
Leadership community share a common
goal: to take charge of their professional
development. council.cio.com/wilpower


Leading  Transformation 


Watch: A major challenge for CIOs
today is transforming IT organizations
from order-takers into order-shapers.
Among other things, that involves asking
technologists, whose tool sets change
every 18 months or so, to be operational,
strategic, consultative, innovative,
customer-focused and security-minded.
And that's just IT transformation. CIOs
and their teams are also leading cultural,
business process and even business
model transformations. Visit the CIO
Executive Council's website May 7 to
hear IT leaders discuss transformation
with executive recruiter and author Martha
Heller. council.cio.com/maycio

More Than Shelter

IT is key to matching clients with corporate housing, says Ric Villarreal,
president of Oakwood Worldwide
By Martha Heller

How is technology affecting
your business?

The corporate housing industry is
becoming much more social. The
marketplace is so networked that our
competitors are now also our suppliers,
and we are using technology to
connect with them.

Our EPIC sourcing platform
allows us to distribute our clients’
corporate housing needs to our
provider network. A link directs
suppliers to a system where they
can see specific requirements—for
example, a one-bedroom apartment,
on the first floor, in a certain location
and within a certain price range. We
then receive responses from multiple
suppliers that allow us to propose
options that best fit the client’s needs.

We also have a platform called
Xora that automates the coordination
of apartment inspection and
cleaning. The service crew inputs
before and after images of the unit
into Xora, which integrates with our
timekeeping system and allows us to
track how long the cleaning took, the
crew’s location and who serviced the
apartment.


You used to be Oakwood Worldwide's
CIO; now you're the president,
with a CIO reporting to you.
Does your CIO experience affect
how you manage that function?

When I started as CIO, I asked
our business leaders to talk to me
about business strategy and goals,
not about buttons and applications.
When our new CIO, Marina
Lubinksy, joined us, I asked her to
take on responsibilities outside of IT.
Twice now, she has led our human
resources function, where she was
asked to solve problems that she
wasn’t used to solving. That experience
has made her a stronger CIO
and member of our executive committee.
Marina is also responsible
for our scholarship program. These
roles have given Marina the experience
to contribute in areas where IT
isn’t typically involved. My role is to
help Marina maximize her influence
on our business.

Has  technology  changed  how 
you  lead? 

I have much better tools for decision-making.
I can access information at
a very high level or get down into
the weeds. I would say that 80 percent
of my actions are based on key
performance indicators, compared
with less than 50 percent in the past.
I used to spend much more time digging
into the actual data, and because
the data was not reviewed and analyzed,
it wasn’t very conclusive.

What  do  you  find  especially 
exciting  in  technology  today? 

I am excited to see all the possibilities
that a more sophisticated user
interface can have on our business.
We are getting much better at understanding
who our customers are and
what they need. The next horizon is
to develop a user interface that is
intuitive, using what we know about
the user to give our guests a better
experience. If the guest is relocating
and has children and is concerned
about location and the quality of
schools, or is a consultant “road
warrior” who wants to be closer to
their work location, the user interface
should adjust accordingly. If
the guest is a government worker
restricted by a per diem or a consultant
who needs a special billing
structure, the system should guide
them through the process.

The  vision  is  to  drive  toward  a 
reservation  process  for  corporate 
housing  that  is  more  like  Zappos, 
where  you  log  in  and  the  system 
knows  you  love  Uggs. 


Martha Heller is president of executive
recruiting firm Heller Search Associates
and author of The CIO Paradox. Follow
her on Twitter: @marthaheller.

Pre-terminated

Patch  Panel  System 


Cabling  Systems  Simplified 

cablesys.com/pnp  800-555-7176  cs@cablesys.com 

©Copyright 2015, Cablesys
*Compared to the 20th century cabling method.


Adding  a  single  patch  panel? 


It  is  the  21st  century  and  life  should  be  simpler,  faster,  and  better. 
So  why  are  you  still  pulling  cables,  punching  down  panels  and 
making  a  mess  of  your  data  center  cabling  project?  It’s  time  to 
look  into  a  21st  century  cabling  system  solution. 

Introducing  Cablesys’  Simplified  Cabling  System  -  Pre-terminated, 
Pre-bundled,  Pre-labeled,  and  Ready-to-go.  With  a  single 
screwdriver  you  can  install  the  patch  panels  in  minutes  without 
the  need  to  hire  additional  certified  technicians  or  wait  for 
materials  from  multiple  vendors.  Better  yet,  each  Simplified 
Cabling  System  comes  with  a  15  year  end-to-end  performance 
warranty  right  out  of  the  box. 

One screwdriver, 15 year warranty, installed in minutes and save
50% or more*. This is the 21st century Cabling System - Simplified.

dtSearch


Instantly  Search 
Terabytes  of  Text 


Using  dtSearch's  own  document  filters,  supports 
popular  file  types,  emails  with  multilevel  nested 
attachments,  databases,  other  static  and  dynamic 
web  data 


Highlights  hits  in  all  data  types;  25+  search  options 

The  dtSearch  product  line  includes  both  enterprise 
and  developer  products,  including  SDKs  for  multiple 
platforms;  APIs  for  .NET,  Java,  C++,  SQL,  etc. 

www.dtSearch.com 1-800-IT-FINDS

Retrieval® since 1991


Visit  www.dtSearch.com  for 

•  hundreds  of  reviews  and 
case  studies 

•  fully-functional  evaluations 
From Tablet to Table

Learning  to  cook  involves  more  than  reading  a  recipe.  At  the  Institute  of  Culinary  Education  (ICE),  using 
textbooks  to  teach  the  nuanced  skills  a  good  cook  requires  just  wasn’t  cutting  it.  So  the  institution  became 
one  of  the  first  cooking  schools  to  replace  textbooks  with  iPads  so  students  could  learn  via  video,  photos 
and  interactive  text.  “Students  want  to  relate  to  the  [material]  in  a  more  portable  format,  and  electronic  is 
the  desired  means  of  delivery,”  says  Richard  Simpson,  director  and  vice  president  of  education  at  ICE.  “This 
is a quantum leap forward.” Students use their iPads to record video, take notes, snap pictures and communicate
with teachers and classmates. They can record classroom cooking demonstrations and view them
later  while  re-creating  dishes  for  homework.  They  can  also  access  lesson  plans  and  other  materials  with  an 
app  called  Inkling,  where  they  can  click  on  keywords  and  watch  videos.  Teachers  use  an  app  called  Content 
Locker  to  post  assignments,  discussion  questions  and  quizzes.  The  tablets  are  key  to  student  satisfaction, 
says  Simpson,  adding,  “We’re  trying  to  meet  students  where  they  want  to  be.”  —Lauren  Brousell 


MAY 1, 2015 | www.cio.com


PHOTO  BY  THOMAS  BETHGE/SHUTTERSTOCK 


Strategic  Marketing  Services 


Security  and  scalability 
are  driving  the  move 
to  the  hybrid  cloud. 


Once  considered  an  experimental  approach, 
the  hybrid  cloud  is  gaining  trust  among  IT 
professionals.  In  fact,  recent  IDG  research 
shows  that  more  than  50%  of  workloads  will 
be  cloud-based  within  the  next  two  years. 


What’s  changed? 

Traditionally,  concerns  about 
performance,  reliability,  and  security 
have  made  IT  professionals  reluctant  to 
move  sensitive  workloads  to  the  cloud. 


But  with  more  sophisticated  hybrid 
cloud  solutions  entering  the 
marketplace,  these  worries  have  been 
replaced  with  enthusiasm  of  the  lower 
costs,  agility,  and  speed  that  are 
hallmarks  of  the  hybrid  cloud. 


Performance,  security,  and 
consistency— without  added  complexity. 


75% of organizations have integrated (or want to integrate)
public cloud services with their
on-premises data center resources.

Learn more about the hybrid cloud.
Download the white paper from IDG Research at
cio.com/whitepapers/vmwarehybridcloud

Cloud-based workloads will
rise to more than 50%
within two years.

IT Services delivered via
Hybrid Cloud will grow 4X
in the next two years.

WITH  A  MOBILE  WORKFORCE, 
LAPTOP  FAILURE  ISN’T  AN  OPTION. 


YOU  DEPLOY  SANDISK  SSD-ENABLED 
LAPTOPS.  AND  REDUCE  BOTH 


Welcome  to  a  flash-accelerated  workforce. 


To  a  mobile  workforce,  their  laptops  are  their  lifeline.  With  SanDisk’s  solid  state 
drives,  not  only  do  laptops  boot  and  load  applications  faster,  but  hardware-related 
IT  help  desk  tickets  are  reduced  by  as  much  as  59% — all  while  delivering  a  lower 
TCO.* That’s why SanDisk has been expanding the possibilities of storage for over
25 years. sandisk.com/clientssd